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Abstract 

We consider the problem of secret key extraction 
when n honest parties and an eavesdropper share cor- 
related information. We present a family of probabil- 
ity distributions and give the full characterization of 
its distillation properties. This formalism allows us 
to design a rich variety of cryptographic scenarios. In 
particular, we provide examples of multipartite prob- 
ability distributions containing non-distillable secret 
correlations, also known as bound information. 



1 Introduction 

Many cryptographic applications nowadays are based 
on computational security. In this type of proto- 
cols, the security is based on two assumptions: (i) 
the computational capabilities of an eavesdropper are 
bounded and (ii) a conjecture on the computational 
complexity of some mathematical problems. The ad- 
vent of quantum computing however sheds doubts on 
the medium-term applicability of these schemes. In- 
deed, Shor's algorithm [16] will allow an eavesdropper 
provided with a quantum computer breaking many of 
the now commonly used schemes, such as RSA. 

There is a second type of security which is clearly 
the strongest one: information-theoretic security. 
This type of protocols are secure against attacks us- 
ing unlimited resources, since the security is simply 
guaranteed by known results of Information Theory. 
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The first step in this direction was already given in 
1949 by Shannon [15]: such a level of security could 
only be attained by honest parties initially sharing 
a secure secret key. An example of a completely se- 
cure way of information encryption is given by the 
one-time pad [18]: in this scheme the honest parties 
share a private key. The message is summed (XOR) 
bitwise with the common key and sent through the 
insecure public channel. The receivers owning the 
key can read the sent information performing a sec- 
ond bitwise XOR, while no information on the mes- 
sage is accessible to anybody with no access to the 
key. It turns out however that (i) this protocol works 
only when the parties willing to interchange the in- 
formation share a private key of the same length as 
the message to be encrypted and (ii) the key cannot 
be reused. Moreover, the following question arises 
in a natural way: how is the key generated? It was 
later shown by Maurer that a secure key cannot be 
generated from nothing [11]. More precisely, the hon- 
est parties cannot establish a key by a protocol con- 
sisting of local operations and public communication 
(LOPC). Therefore, a necessary requirement for key- 
agreement is that the honest parties share prior cor- 
relations that are partially secret. 

These pessimistic statements were somehow rela- 
tivized in [11, 12], where it was proven that an arbi- 
trary weak level of correlation and privacy can be in 
some cases sufficient for generating a key. Further- 
more, Quantum Cryptography protocols [2, 8] have 
been shown to provide an efficient way for establish- 
ing these initial partially secret correlations. Indeed, 
it is a crucial problem in most of Quantum Cryp- 
tography protocols how to transform into a perfect 
secret key the noisy and partially secret data dis- 
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tributcd among the honest parties through quantum 
channels. As said, this key wiU later be consumed 
for sending private information by means of one-time 
pad. 

In this work, we study the inter-conversion among 
different kinds of secret correlations in a multipartite 
scenario, where n honest parties and an eavesdropper 
have access to common information. More precisely, 
each party, including the eavesdropper, has many re- 
alizations of a random variable. These n + 1 random 
variables are correlated through a known probability 
distribution. Since the secrecy content of these cor- 
related data is non-increasing under LOPC, this set 
of transformations is considered as a free resource. 
That is, the honest parties are allowed to perform 
any local operation on their data and to communi- 
cate through a public, but authenticated, channel. 
Given an initial probability distribution P, we focus 
on two questions: (i) can P be generated by LOPC? 
and (ii) can perfect secret bits be extracted from P 
by LOPC? 

A family of probability distributions is introduced, 
allowing the construction of several examples (see be- 
low) with a huge variety of distillation properties. In 
particular, for each probability distribution we can 
answer the previous two questions (i) and (ii). Note 
that we do not consider the problem of how these cor- 
relations arc generated, that is, they will appear as 
an initially given resource. However, there have been 
proposed different ways of establishing partially se- 
cret correlations, such as the satellite model by Mau- 
rer [11], or Quantum Cryptography [2]. The ana- 
lyzed techniques can be used to prove the existence 
and activation of bound information, a cryptographic 
analog of bound entanglement, first conjectured in 
[9] (see also [7]). We finally discuss the connection of 
these techniques with previous results on entangle- 
ment transformations in Quantum Information The- 
ory. 

1.1 Examples 

In this section we present some examples of multi- 
partite secret correlations showing interesting distil- 
lability properties. These probability distributions 
are explicitly constructed in section 4.6. In the fol- 



lowing examples, we consider n separated parties 
{Ai,A2, . . . , An}- Throughout the article, whenever 
we say that a subset of k parties are together, or form 
a group, we mean that they can perform fc-partite 
joint secret operations. This can be done by meeting 
at the same place, or by sharing a sufficiently large 
fc-partite secret key. 

Example 1. n honest parties can distill a secret 
key if at least 70% of them cooperate in the protocol, 
independent of the fact that they join or not (the 
choice of 70% is arbitrary). 

Example 2. Probability distribution of n honest 
parties where distillation is possible if, and only if, the 
cooperating parties join in groups of at least k people, 
independently of how many parties participate in the 
distillation protocol. 

The previous two examples can be considered as el- 
ementary conditions on distillation. In the following 
two examples we combine them with different logi- 
cal clauses (AND and OR), in order to obtain more 
sophisticated distillation scenarios. 

Example 3. n honest parties can obtain a secret 
key if, and only if, at least 70% of them cooperate in 
the protocol, AND, they join in groups of at least k 
people. 

Example 4. n honest parties can generate a se- 
cure key if, and only if, at least 70% of them cooper- 
ate in the protocol, OR, the cooperating parties join 

in groups of at least k people, or both. 

In the previous examples all the parties played the 
same role. In the following some specific parties have 
a different status, that is, the possibility of distillation 
may depend on their actions. 

Example 5. Distribution of n honest parties 
where distillation is possible if, and only if, the par- 
ties AiAj participate in the protocol and remain to- 
gether, independently of how many others cooperate 
and how they distribute in groups. The same can be 
done but imposing that parties AiAj must remain 
separated. 

It is now clear that one can design probability 
distributions showing unlimited intricate distillation 
properties. 



2 



2 Bipartite secret correlations 

In 1993, Maurer introduced the information-theoretic 
key-agreement model, generalizing previous ideas by 
Wyner [19] and Csiszar and Korner [3]. In his origi- 
nal formulation, two honest parties (Alice and Bob) 
are connected by an authenticated but otherwise inse- 
cure classical communication channel. Additionally, 
each party including Eve — has access to correlated 
information given by repeated realizations of the ran- 
dom variables A, B and E (possessed by Alice, Bob 
and Eve respectively), jointly distributed according 
to P(j4, S, E). From now on, we denote by the same 
symbol, X , a random variable, AT, as well as the value 
it can take, x, e.g. P{X) = Px{x). The goal for Al- 
ice and Bob is to obtain a common string of random 
bits for which Eve has virtually no information, i.e. 
a secret key. The maximal amoimt of secret key bits 
that can be asymptotically extracted per realization 
of [A, B) used, is called the secret-key rate, denoted 
by S{A : B \\ E) or S. More precisely, this quantity 
is defined as the largest real number such that for all 
e > 0, one can find an integer Nq and a two-way com- 
munication protocol for Alice and Bob transforming 
N > No realizations of A and B into random vari- 
ables Sa and Sb satisfying 

P[Sa = Sb^X] > 1-e 
H{X) = \og{\X\) > {R-e)N 

IiX:CE^) < e, (1) 

where X is another random variable and C denotes 
the communication exchanged during the protocol. 

Therefore, the secret-key rate quantifies the amount 
of secret-key bits extractable from a probability dis- 
tribution. 

More recently, another measure for the secrecy 
content of P{A, B, E), the so-called information of 
formation Iform{A : B\E), has been introduced in 
[14]. Intuitively, it can be understood as the mini- 
mal number of secret-key bits asymptotically needed 
to generate each independent realization of {A, B) 
— distributed according to P(A, B) , such that the 
information about {A, B) contained in the messages 
exchanged through the public channel, C, is at most 
equal to the information in E. More precisely, /form 



is defined as the infimum over all numbers i? > 
such that for all e > there exists an integer N, and 
a protocol with communication C that, with proba- 
bility 1 — e, allows Alice and Bob, knowing the same 
random [i?Af]-bit string X, to compute A^ and B'^ 
such that 

P(A^, 5^, C) = Y. [^(^' ^' PiC\E''), (2) 

EN 

where P{C\E^) defines a channel [14]. According to 
this definition, we say that a probability distribution 
P can be established by LOPC if, and only if, /form = 
0. Note that this statement does not mean that the 
result of the corresponding LOPC formation protocol 
is necessarily P, but it is a distribution P' at least as 
good as P from Alice and Bob's point of view. More 
concretely, P' can be obtained from P by processing 
Eve's information, in the sense of Eq. (2). 

Information of formation and secret-key rate are 
two measures of the secrecy content of a probability 
distribution with a clear operational meaning: /form 
quantifies the amount of secret-key bits required for 
the formation of P{A,B,E), while S specifies the 
amount of secret bits extractable from P{A, B, E). 

A useful upper bound for S is given by the so- 
called intrinsic information, introduced in [12]. This 
quantity, denoted by I{A : B i E) ov more briefly /|, 
will play a significant role in the proof of our results. 
The intrinsic information between A and B given E 
is defined as: 

I{A:B IE) = min I{A : B\E) , (3) 

E^E 

where the minimization runs over all possible stochas- 
tic maps Pe\e defining a new random variable E. 
The quantity I {A : B\E) is the mutual information 
between A and B conditioned on E. It can be written 

as 

I{A : B\E) = H{A,E)+H{B,E)-H{A,B,E)-H{E) , 

(4) 

where H{X) is the Shannon entropy of the random 
variable X. The intrinsic information also gives a 
lower bound for the information of formation [14], 
thus 

S<h< /form . (5) 
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3 Multipartite secret correla- 
tions 

The generalization of Maurer's formulation to the 

multipartite scenario is straightforward. Consider a 
set of n honest parties Q = {A\,A2, 4^} con- 
nected by a broadcast public communication chan- 
nel which is totally accessible to the eavesdropper 
but which is tamper-proof. Each of the parties (in- 
cluding Eve) has access to the correlated informa- 
tion contained in many realizations of its correspond- 
ing random variable. We denote by Ai the random 
variable corresponding to party Ai- Eve's random 
variable is also denoted by E. In the whole paper 
curly capital letters refer to parties and sets of par- 
ties, while normal capital letters refer to random vari- 
ables. In this scenario, general secret correlations are 
represented by probability distributions of the form 
P{A-\_, . . . ,An,E). That is, all random variables in 
each realization are correlated according to P, and 
each realization is independent of the others. 

One possible goal for the honest parties is to obtain 
an n-partite secret key. Sometimes this is not possi- 
ble, but still, a subset of m parties (with 1 < m < n) 
can get an m-partite key. Therefore, there are many 
different senses in which a distribution P is (or is 
not) distillable. In order to get rid of such ambiguity 
we choose the strongest definition of non-distillability. 
We say that a distribution P is non-distillable if there 
does not exist any pair of parties, capable of obtaining 
a secret key by LOPC, even with the help of the oth- 
ers. For similar reasons, in the multipartite scenario 
there may be many ways of defining the secret-key 
rate. But, in this paper we only use the secret-key 
rate in bipartite situations, where the definition is 
unique. In general, considering bipartite splittings of 
the parties will prove to be a very useful tool for ob- 
taining necessary conditions in the multipartite sce- 
nario. 

3.1 Bipartite splittings 

We denote by V any subset of Q, and by V its com- 
plement (the set of all elements in Q not belonging to 
V). Each bipartition of Q can be specified by giving 



one of the halves, say V. 

The following two lemmas concerning any n-party 
distribution refer to their distillation and formation 
properties. 

Lemma 1: A necessary condition for obtaining an 
n-partite secret key is that: for all hipartitions P of 
Q, when all parties within each half are together, a 
bipartite secret key between V and V can be obtained. 

Proof: Suppose the distribution can be distilled 
into an n-partite secret key. The same must hold 
when some of the parties are together. In particular, 
a bipartite key between the groups V and V can be 
obtained, for any V. Therefore, the last is a necessary 
condition. □ 

Lemma 2: A necessary condition for the correla- 
tions specified by P being generated by LOPC is that: 

for all bipartitions P of Q, when all parties within 
each half are together, the resulting bipartite distribu- 
tion can be generated by LOPC. 

Proof: Suppose the distribution can be generated 
using LOPC by the n honest parties. The same must 
hold when some of the parties are together, in partic- 
ular, for the bipartite splitting P and P. Therefore, 
the last is a necessary condition. □ 

4 A family of multipartite 
probability distributions 

In this section we present a family of probability dis- 
tributions, denoted by Pq, exhibiting a variety of dis- 
tillation properties. The examples described in sec- 
tion 1.1 are particular instances of this family. 

4.1 Notation and definitions 

From now on, we restrict the random variables of 
the honest parties Ai, . . . , An to take the values 0, 1. 
Eve's random variable E can however have a wider 
range. In the remainder, unless explicitly mentioned. 
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quantities between square brackets [,s] arc to be un- 
derstood as (n — l)-bit strings. That is, we associate 
with each integer s e {0, 1, . . . 2"-^ - 1} the (n - 1)- 
bit string corresponding to its binary expansion, and 
denote this by [s] . We denote by [s] the string where 
all bits have the opposite value than in [s]. As an 
instance, suppose n — 1 = 3, wc have that [2] = 010 
and [2] = 101. We will use bit strings [s] to label the 
outcome of the first (n — 1) variables Ai,. . . , An-i; 
for example Ai . . . An-i = [s\. 

In what follows, we also use bit strings [s] to specify 
bipartitions of the set of n parties Q. The subset 
V[s] C Q is defined in this way: Ai £ V[s] if the i*^ 
bit of [s] is one. Notice that An always belongs to 
■P[j,]. In this way, we associate with each (n — l)-bit 
string [s] a bipartition of Q. As an example suppose 
Q = {^1,^2, A3}, the string 01 corresponds to the 
bipartition {A2) — (Ai ^3), and, 00 corresponds to the 
trivial bipartition () — 

Let us denote by Pq,{Ai, . . . An,E) the following 
family of probability distributions. 





. . An-l 


An 


E 


Pu 




[0] 





[0]0 or [0]1 






[0] 


1 


[ojo or [ojl 


^[01 




[1] 





[1]0 


^[1] 




[1] 


1 




^[1] 




[s] 





WO 


%] 




[«1 


1 


[a-]l 


%] 


[2" 


-1-1] 





[2"-i - 1] 


0[2»i-i_i] 


[2" 


-1-1] 


1 


[2"-i - 1] 1 


rif2'.-i-ii 



In this table, each row corresponds to a different 
event. For example, in the first row event, the 
obtained outcomes are {Ai . . . An) = (0 ... 0) and 
E = "[0]0 or [0]1", and this happens with probabil- 
ity 0[o]. As can be seen, the 2" events are grouped 
in equiprobable pairs. Notice that Eve always knows 



the value oi Ai . . . An, except in the first two events, 
where she obtains the outcome "[0]0 or [0]1" indepen- 
dently of which is the actual one. The parameters of 
Pq arc the positive numbers Q[q], . . . , 5^[2"-i-i]j only 
constrained by the normalization condition: 



A simple example of Pq can be found in section 5.1. 
4.2 Bipartitions 

Let us study the bipartite properties of Pq. In the 
following lemmas, it is assumed that all parties within 
each half. Vis] and 'P[s], are together. 

Lemma 3: A bipartite secret key between the parts 
■P[s] and V[s] can be obtained if, and only if, Sl^g^ < 
r2[o]- 

Proof: To prove the if statement we only have to 

provide an explicit distillation protocol. This proto- 
col has two steps. In the first step, the honest parties 
discard all realizations of Pq in which not all the vari- 
ables within each half ("Pj^j and Vis]) have the same 
value. This operation only filters the following events: 

{A,... An-l An) = [0]0, [Ojl, [s]0, [s]l. (7) 

The filtered probability distribution is, up to normal- 
ization: 
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Where Pj,] = Ai for all i such that Ai € P[s], and 
analogously for Pj^j and V[s] ■ Notice that this is well- 
defined because all parties in V[s] ('^[s]) have obtained 
the same outcome. The second step is the repeated 
code protocol, explained in the Appendix. There, it 
is shown that this protocol generates a secret key if 
f2[o] > fl[s], as we wanted to prove. 



5 



The only if part can be proven by showing that the 
intrinsic information of this partition is zero, : 
V[s] i E) = 0, when fijoj < 12[s]. For doing so, we 
perform the foUowing stochastic map E E: HE 
is equal to [s] or [s] 1, we assign E := "[0]0 or [0]!" 
with probabiUty ri[o]/r2[s], and, with probabihty 1 — 
^[o]/^[s] we assign E := E. In the rest of the cases 
we also assign E := E. It is easy to check that I{V[s\ '■ 
V[s]\E) = 0, which ensures that I{V[,] : ^[^j I E) = 
0. Now, the upper bound (5) implies that the secret- 
key rate must be also zero. In other words, we have 
that when fijg] < ^[s] 

S{-p^,y.r^4E)=0, (8) 

which completes the proof. □ 

Lemma 3 provides a tool for designing distribu- 
tions with involved distillation properties. Suppose 
that, in order to distill a secret key, the n parties 
join in two groups according to the bipartition V[s]- 
Now, we can choose in which of these bipartitions 
distillation will be possible, and in which not. We set 
Q[s] = 0, if we allow the parties to obtain a secret 
key when arranged according to V[s] ■ Notice that for 
non-trivial bipartitions [s] ^ [0]. We set n^s] = ^[o], 
if we forbid distillation when the parties are arranged 
according to 'P[s]- Finally, we set r2[o] such that the 
normalization condition (6) is satisfied. Notice that 
we have as many free parameters as there are possible 
bipartitions. 

4.3 Multipartitions 

Lemma 3 tells us how to construct probability distri- 
butions Pq, choosing independently which bipartite 
splits permit secret key extraction, and which do not. 
Next, we generalize Lemma 3 by considering situa- 
tions in which the n parties are joined in more than 
two groups. Of course, this includes the case where 
the n parties are all separated. Let us introduce some 
notation first. 

An m-partition of Q is given by m disjoint subsets 
Qi, • • • , Qm C Q such that Qi U • • • U Q„ = Q. As 
before, we consider that the parties within each sub- 
set Qi are together. We use Qi to denote the binary 
variable associated with "party" Qj. 



Lemma 4: Consider an m-partition of Q, 
{Qi, ■ ■ ■ , Qm}- -^n m-partite secret key among these 
groups of parties can be obtained if, and only if, for 
each bit string [s] such that its corresponding bipar- 
tition V^s] does not split any set Qi, . . . , Qm, the in- 
equality fifg] < f2[o] holds. 

Proof: The only i/ assertion is just Lemma 1, but 
using the equivalence of Lemma 3. Let us prove the 
i/part by giving a protocol which is a generalization 
of the one given in the proof of Lemma 3. First, the 
honest parties discard all realizations of Pq in which 
there is at least one subset Qi containing variables 
with different values. Or equivalently, they reject 
all events Ai...An = [s]0, [s]l such that its asso- 
ciated bipartition V[s] splits at least one subset Qi. 
As usual, Qi — Ai for all i such that Ai S Qi. After 
this filtering operation the probability distribution is, 
up to normalization: 
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Notice that in the first column, we specify the value 
of the TO-bit string Qi . . . Qm with an n-bit string, say 
[s]0. This is well defined if we recall that, in all fil- 
tered events, the bits in [s]0 associated with the par- 
ties belonging to Qi, have the same value, and this 
value is the one assigned to the variable Qi. Now, 
the m parties perform the repeated code protocol to 
-Pa|fiitered- the Appendix it is shown that this pro- 
tocol works if the condition of Lemma 4 holds. □ 

4.4 Non-cooperating parties 

It is clear that a single party, say Ai , can always pre- 
vent the others from obtaining a secret key. To do so, 
she only has to make public the value of Ai in each 
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realization of Pq. After this procedure, Eve will know 
the value of each variable in the two events where all 
variables are equal: (Ai . . . An) = (0 ... 0), (1 ... 1). 
In the rest of events. Eve already knew the value of 
each variable. Therefore, by a non-cooperating party 
we do not mean a party who is against the others, but 
one that docs not want to be involved in the distilla- 
tion protocol. In this section, we generalize Lemma 4 
by considering the presence of non-cooperating par- 
ties. Let us first, introduce some notation. 

In what follows, when referring to the m disjoint 
subsets Qi , . . . , Qm C Q, we do not demand that 
they satisfy Qi U • • • U Qm = Q- In other words, they 
don't have to be an m-partition of Q. It is under- 
stood, that the parties not belonging to Qi U • • • U Qm 
do not participate in the protocol. Within all this sec- 
tion, primed quantities between square brackets [z'] 
have to be understood as (m — l)-bit strings. That is, 
we associate with each integer z E {{). 1, . . . , 2™^-^ — !} 
the (m — l)-bit string corresponding to its binary ex- 
pansion, denoted by [z']. As in the rest of the pa- 
per, unprimed integers between square brackets mean 
(n— l)-bit strings. We also denote by [z'j the (m— 1)- 
bit string where each bit has the opposite value than 
in [z']. Following the analogy, Pj^/j is a subset of 
{Qi, ■ • • , Qm} defined with the same convention as 
V[s]. That is, Qi belongs to V[^'] if the i^^ bit of 
[z'] has the value one. We define Viz'] analogously, 
which always contains Qm- We also use P[^/j to de- 
note bipartitions of {Qi, . . . , Qm}- Additionally, we 
associate with each bipartition of {Qi, . . . , Qm} some 
bipartitions of Q, in the following way. We say that 
'P[s] is associated with Pj^/j if V[s] contains all parties 
belonging to the subsets Qi such that Qi G 
and, does not contain any party belonging to the 
subsets Qi such that Qi G V[z']- Notice that the 
non-cooperating parties, the ones not belonging to 
Qi U • • • U Qm , may or may not belong to Pj^j . There- 
fore, there can be many V[s] associated with one Pj^/j . 
We also extend this relation to bit strings in a natural 
way: we say [s] ~ [z'] if V[s] is associated with P^^,/] . 

Theorem 5: An m-partite secret key among the 
groups of parties Qi,. . . , Qm can be obtained if, and 
only if, for each bipartition of these m groups P[2'], 



the inequality 

E "W<"[0] (9) 
vM^[z'] 

holds. 

Proof: As in the previous cases, we prove the if 
assertion by giving a protocol that works under the 
stated conditions. The usual protocol is readily gen- 
eralized to fit this case: The cooperating honest par- 
ties discard all realizations of Pq for which there is 
at least one group Qi. in which not all the variables 
are equal. Or equivalently, they reject all events 
A\...An = [s]0, [s]l such that, its corresponding 
bipartition V[s] splits at least one subset Qi. Notice 
that in the filtered events, the non-cooperating par- 
ties' variables can have any value. After this filtering, 
the probability distribution is, up to normalization: 
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As usual, Qi = Ai for all i such that Ai G Qi. 
As shown in the Appendix, the repeated code pro- 
tocol works with Pn| filtered if; for condition 
(9) holds. To prove the only if part, let us suppose 
that there exists at least one string [z'(^ such that 
(9) is not satisfied. According to Lemma 1, when the 
groups Ql, . . . , Qm can distill an m-partite secret key, 
a bipartite key is also obtainable when the m groups 
are joined in just two groups. This must hold for any 
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bipartition of {Qi, . . . Qm}, say [z'q]. Let us see that 
this is impossible when 

^[s] > ^[0] (10) 

VlsMz'„] 

holds. As in the proof of Lemma 3, we show 
that the secret-key rate between V[z'g] and V[z'^] is 
zero, by computing the intrinsic information between 
these two parts. To do so, we perform a similar 
stochastic map E ^ E: li E = [z']0 or E = 
[z']l we assign E ="[0]0 or [0]1" with probability 

^[0]/ X)v[s]~[2') ^[«]- ^^^^ cases E = E. 

It is easy to check that 

7(P[,,] :P[,,]|^)=0, (11) 

which implies the above mentioned impossibility. □ 

4.5 Correlations without secrecy 

In this section, wc will characterize those Pq that can 
be established by LOPC. This is the content of the 
following theorem. 

Theorem 6: A probability distribution Pq can be 
generated by LOPC if, and only if, for all bipartite 
splittings V[s] , 

> ^[0] (12) 

holds. 

Proof: Let us start by the only if part. In the 
proof of Lemma 3 we have seen that whenever > 
0[o], the intrinsic information for the corresponding 
bipartite splitting is zero, I{Pis] '■ 'Pis] i E) = 0. It 
has been proven in [14] that Jj, = if, and only if, 
inform = 0. This result and Lemma 2 imply that (12) 
is a necessary condition for Pq being generated by 
LOPC. 

For the if part of the proof, we proceed as fol- 
lows. First, we introduce a probability distribution 
Pq and prove it cannot be less secret than P^. This is 
done by showing that Pq can be obtained from Pq by 
degradating Eve's information; namely, there exists 
a map for Eve's random variable E —>■ E such that 
Pq — > Pq. Next, we give an explicit LOPC proto- 
col producing the probability distribution Pq without 



any additional resource. Thus, /form is zero for Pq. 
Then, it follows from the definition of information of 
formation that Pq has also /form = 0. 

With each Pq such that (12) holds for all [s], we 
associate the following distribution Pq 
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-1-1] 


1 
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-1-1] 





[2"-i - 1] 




[2» 


-1-1] 
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[2»-i - 1] 1 


f2[2"-i_ll - ^[0] 



Actually, Pq can be obtained from Pq after the 
following stochastic map on Eve's random variable, 
E ^ E. U E is equal to "[0]0 or [0]1" we assign 
E :="x". If E is equal to [s] ([s] 1), we assign E := 
"x" with probability n[o]/^[s]5 ^^d, with probability 
1— f2[o]/rJ[,,] we assign E := E. Now, we prove that all 
probability distributions Pq of that kind can be cre- 
ated with the following LOPC protocol. With proba- 
bility 2" fl[o] party Ai broadcasts the public message 

"x" . After receiving "x" , each party Ai 4„ locally 

generates a random bit A\. . .An. With probability 
^[s\ ~ ^[o]i ps-rty A\ broadcasts the public message 
[s]0 ([s]l). After receiving this message each party 
outputs its corresponding bit from the sequence [s]0 
([s]l). This implies /form = for Pq, and the same 



8 



result applies to Pq. □ 

4.6 Construction of the examples 

In this section we explicitly construct the examples 
that have been introduced at the beginning of the 
paper. This is done by repeatedly using Theorem 5. 

Example 1. Let us design a probability distribu- 
tion of n honest parties which is distillable if, and only 
if, more than m parties cooperate in the protocol. In 
other words, if n — m parties (or more) do not coop- 
erate, distillation is impossible. Consider the situa- 
tion where there are m cooperating parties. For each 
bipartition of them, V^z'], there are 2""™ different 
ways of distributing the n ~ m non-cooperating par- 
tics between the two groups. That is, there arc 2"~™ 
different bipartitions V^s] associated with V^z'] ■ If we 
set = f}[o]/2"-'" for all [s] ^ [0], equation (9) 
will be satisfied if, and only if, the sum 5^v[s]~[z'] ^[s] 
has less than 2"~™ terms, and this only happens if 
the number of cooperating parties is larger than m. 
Notice that 17 [oj is fixed by the normalization condi- 
tion (6). Because all Q[s] with [s] ^ [0] have the same 
value, distillation is possible even when the cooper- 
ating parties arc all separated. 

Example 2. Let us construct an n-party distri- 
bution, which is distillable if, and only if, the co- 
operating parties join in groups of at least k people, 
independently of how many parties do not cooperate. 
We denote by W[g] the number of ones that the bit 
string [s] has. We impose =0 for all strings with 
k < W[s] < n — k, and Q[s] = ^^[o] for the rest. As 
before, fJpj is fixed by the normalization condition 
(6). It is easy to see that, if there is a group of less 
than k parties, the bipartition having these k parties 
in one side and the rest in the other side, satisfies 
f2j<,] = ^[0], and this prevents condition (9) from be- 
ing satisfied. When all cooperating groups contain at 
least k people, all bipartitions that do not split any 
of the groups satisfy fij^j = 0, in this case, condition 
(9) holds independently of how many parties do not 
cooperate. 

Example 3. This n-party distribution is distill- 
able if, and only if,, more than m parties participate 
in the protocol, AND, they join in groups of at least 
k people. This is achieved with the following assign- 



ments. Wc set rj[,] = f7[o]/2"-'" if fc < W[s] <n-k, 
and = r2[oj otherwise. As in the example 2, if 
there is one group of less than k cooperating parties 
condition (9) docs not hold. Reasoning in the same 
fashion as in example I, if there are m or less coop- 
erating parties distillation is impossible. 

Example 4. This n-party distribution is distill- 
able if, and only if,, there are more than m cooper- 
ating parties, OR, they joint in groups of at least k 
people, or both. Wc set = if fc < W^s] <n — k, 
and n^^j = n[o]/2""'" for the rest. 

Example 5. This n-party distribution is distill- 
able if, and only if, parties AiAj cooperate and re- 
main always together. We suppose without loss of 
generality that i,j^n. If the i*^ and j*'^ bits of the 
string [s] have the same value wc set fl^g^ = 0, and 
~ ^[0] otherwise. It is clear that this fulfils our 
demand. A variation of this example is when distil- 
lation is possible if, and only if, parties AiAj remain 
separated. The construction of this case is closely 
analogous to the previous one. Now, we set = 
if [s] has different values for the i*^ and j*'^ bits, and 
f2[g] = Qjo] otherwise. 

5 Bound information 

Bound information represents the cryptographic ana- 
log of bound entanglement, an intriguing feature of 
some quantum states found by the Horodeckis in 
1998 [10]. In the bipartite case, bound information 
can easily be defined using the previously introduced 
quantities [9]: a probability distribution P{A,B,E) 
contains bound information when the following two 
conditions hold: 

S = 
/form > . (13) 

Therefore, P{A, B, E) has bound information when 
(i) no secret-key bits can be extracted from it by 
LOPC, but (ii) its formation by LOPC is impossible. 
In other words, the non-zero secrecy content of the 
probability is bound because secret correlations are 
necessary for its preparation but cannot be distilled 
into a pure form. There exist several results support- 
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ing the existence of this analog of bound entangle- 
ment in the bipartite case: in Refs. [7, 9] several 
probability distributions were constructed for which 
one can prove that /| is strictly positive but none 
of the known secret-key distillation protocols allow 
to extract secret bits. Moreover, it was shown in 
[14] that there exist probability distribution where 
S < /form- This already proves the irreversibility, 
in terms of secret bits, in the processes of forma- 
tion and key distillation for some probability distri- 
butions. Actually, the authors of [14] constructed a 
family of probability distributions where /form > 1/2 
while S can be arbitrarily small. Unfortunately, no 
example of P{A,B,E) such that = S < /form is 
known until now. 

Bound information was initially defined in the case 
of two honest parties. However, its generalization to 
the multipartite scenario is again straightforward: a 
probability distribution P{Ai, . . . , yl„, E) has bound 
information when (i) its formation by LOPC is im- 
possible and (ii) no secret-key bits can be extracted 
between any pair of parties by LOPC. In what fol- 
lows, we use the techniques described above in order 
to show the existence of multipartite bound informa- 
tion. We will do that for the case of three honest 
parties. Moreover, we will see that similarly to what 
happens in the quantum case, bound information can 
be activated: the combination of different probabil- 
ity distributions with bound information may give a 
distillable probability distribution. 

5.1 Proof of the existence of bound in- 
formation 

In this section we prove the existence of bound infor- 
mation in the tripartite scenario. In order to do that 
we give a probability distribution P{Ai, A2, A^, E) 
and show that its formation by LOPC is impossible 
but no secret-key bits can be extracted from it by the 
honest parties using LOPC. Although these results 
already appear in [1], here we review them using the 
formalism described in the previous section. 

Using the introduced notation, an example of tri- 
partite probability distribution having bound infor- 
mation reads as follows: 



A1A2 A3 


E 


Pi 


[0] 


[0]0 or [0]1 


1/6 


[0] 1 


[0]0 or [0]1 


1/6 


[1] 


[1]0 


1/6 


[1] 1 




1/6 


[2] 


[2]0 





[2] 1 


[2]1 





[3] 


[3]0 


1/6 


[3] 1 


[3]1 


1/6 



Note that the role played by A2 and A3 in Pi is the 
same, up to a relabelling of Eve's variables. 

Using Lemmas 1 and 3, it is relatively simple to see 
that no pair of parties can distill secret bits from this 
probability distribution. Consider, for instance, the 
partition A2 — {A1A3), corresponding to [s] = [1] = 

01. Because of Lemma 3, no distillation is possible 
since = 0[o] =1/6. Then, Lemma 1 implies that 
A2 can distill secret bits neither with Ai nor with 
A3. Because of the symmetry of the distribution, the 
same result holds for {A1A2) — A^. Therefore no pair 
of parties can distill a secret key. Finally, consider 
the third partition Ai — (^2^3)- In this case, where 
[s] = [2] = 10, we have fip] = < l^[o] = 1/6. 
That is, the probability distribution corresponding 
to this partition is distillable, which means that it 
could not have been created by LOPC. Using Lemma 

2, this implies that the initial probability distribution 
Pi cannot be created by LOPC either. This proves 
that the non-zero secrecy content of Pi is bound, i.e. 
it constitutes an example of bound information. 

The proof presented here is almost the same as in 
[1], having been adapted to the notation introduced 
above. Actually, the non-distillability of Pi could al- 
ternatively have been proven using Lemma 4. Note 
also that many of the probability distributions given 
above, such as Example 2, already constituted exam- 
ples of bound information. 

5.2 Bound information can be acti- 
vated 

The activation of bound entanglement is perhaps one 
of the most surprising results found in entanglement 
theory [5, 17]. Bound entanglement is said to be ac- 
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tivatcd whenever one can distill pure-state entangle- 
ment from the combination of several bound entan- 
gled states. Remarkably, in some cases this activation 
can be achieved by mixing different bound entangled 
states [6]! As it will be shown shortly, a similar fea- 
ture is observed for classical probability distributions. 

Consider the situation where three honest parties 
and an eavesdropper have access to correlated ran- 
dom variables described by Pi. In addition, they 
also have access to other random variables described 
by P2 and P3, where these two probability distribu- 
tions correspond to cyclic permutations, Ai — > — *■ 
As Ai, of Pi. Of course, Pi, P2 and P3 have 
bound information. Now, the three honest parties 
forget what the actual distribution is. Alternatively, 
one can think that a source is sending to the par- 
ties random variables correlated through Pi, P2 and 
P3 with equal probability, and the information about 
the prepared probability distribution is only accessi- 
ble to Eve. The resulting distribution, Presj can be 
described as 



^1^2 


A3 
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Pics 


[0] 





[0]0 or [0]1 


1/6 


[0] 


1 


[0]0 or [0]1 


1/6 


[1] 





[1]0 


1/9 


[1] 


1 




1/9 


[2] 





[2]0 


1/9 


[2] 


1 


[2]1 


1/9 


[3] 





[3]0 


1/9 


[3] 


1 


[3]1 


1/9 



It is now straightforward to see that this probabil- 
ity distribution is distillable, even in the fully multi- 
partite scenario where the three parties remain sep- 
arated. This follows from Lemma 4, since for all the 
partitions one has 1/9 < 1/6. Therefore, the combi- 
nation of non- distillable probability distributions pro- 
duces a distillable distribution. 

6 Conclusions 

In this work, we have presented a family of proba- 
bility distributions in the multipartite scenario of n 



honest parties and an eavesdropper. Using this fam- 
ily, we were able to construct different examples of 
probability distribution with a huge variety of secrecy 
properties. This rich variety of examples shows how 
intricate the structure of multipartite secret correla- 
tions is. Moreover, the introduced techniques allowed 
us to prove the existence and activation of bound in- 
formation, namely non-distillable secret correlations. 

We would like to mention here some analogies be- 
tween our results and the problem of entanglement 
manipulations in Quantum Information Theory (see 
Refs. [9, 4]). The intuition for the construction of 
the previous family of probability distributions came 
from the quantum states discussed in Refs. [5, 6]. In- 
deed, these distributions represent the cryptographic 
classical analog of these states. Moreover, the exis- 
tence of bound information, that was our initial moti- 
vation for this study, was conjectured in 2000 [9] as a 
classical counterpart of bound entanglement. In this 
sense, all these results constitute one of the first ex- 
amples where well-established ideas in Quantum In- 
formation Theory have successfully been translated 
to the classical side. Up to now, the flow of results 
has mainly been in the opposite direction. 

Unfortunately, the existence of bipartite bound in- 
formation, that is, probability distributions with non- 
distillable secret correlations, remains as an open 
question. Indeed, the existence of multipartite bound 
information exploited the possibility of considering 
splittings of the parties into different groups, some- 
thing impossible in the bipartite scenario. In this 
sense, it is an interesting issue to study how those 
quantum concepts that allowed to prove the existence 
of bound entanglement for quantum states, such as 
partial transposition [13], can be adapted to the key- 
agreement scenario. 

Appendix: Repeated code pro- 
tocol 

In this appendix, the repeated code protocol is de- 
scribed. Consider m separated parties Ai, . ■ . ,Am 
willing to generate an m-partite secret key. Each 
of these parties, say Ai, has access to many re- 
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alizations of its corresponding random variable Ai. 
Additionally, there is an eavesdropping party. Eve, 
who has access to a random variable E corre- 
lated to Ai through the probability distribution 
P{Ai, . . . , Am, E). Note that it is assumed that each 
realization of Ai, A2, . . . , A^, E, is independent of 
the other. Moreover, this probability distribution is 
known by all the parties. 

The first part of this key distillation protocol is 
implemented by the following three steps: 

1 . Each party takes N realizations of her own ran- 
dom variable: 



,(2) 



2. One of the honest parties — say Ai — generates 
locally a random bit fci, computes the N num- 
bers Xr := (A;i + A^''' mod 2) for r = 1, . . . , TV, 
and broadcasts through the public channel the 
A^-bit string: 



{Xi, X2, . . . , Xn) 



(14) 



3. All the remaining parties — in this case 
A2, ■ ■ ■ , An — perform the following operation. 

Party Ai adds bitwise the broadcasted string 



1(2) 



If he 



(14) to his symbols {Ay', A, 
obtains the same result for all of them, that is 
(Xr + A'f^ mod 2) fc, for r = 1, . . . , A, he 
accepts ki and communicates the acceptance to 
the other parties. If not, all parties reject the N 
realizations of Pq. 

The final step to attain a secret key uses as in- 
put many realizations of (fci, . . . , fcm). It consists of 
the one-way distillation protocol given by Csiszar and 
Korner in [3] . The fact that this protocol is designed 
for two parties is not a problem. In our case, one of 
the honest parties, say Ai, broadcasts all public mes- 
sages to the rest, who perform error correction and 
privacy amplification to their data. 



Let us analyze under which conditions a probabil- 
ity distribution belonging to the family Pq can be 
distilled into a secret key using this protocol. In the 
usual notation, a probability distribution Pq reads 



Al . • • , Ajn — i 
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Pn 


[0] 





[0]0 or [0]1 


^[0] 


[0] 


1 


[0]0 or [0]1 


^[01 


[s] 





WO 






1 


Wi 





Notice that when party Ai, with i > 2, accepts fcj 
in step 3; the variables A'f'\ . . . , A^^'' arc all equal, 

or, all different to A\^\ . . . , a[^\ This is equivalent 
to saying that, the N realizations of Pq used in this 
first part of the protocol, have to be all in the same 
pair of events, characterized by a given sq, that is, 
, = [so]0 or A^;\..., A^r^^ = [so]l for 
. . ,N. This happens with probability 



^1 ) • 

r = 1, 



P (so) = 



[so] 



(15) 



Notice that in the case [so] = [0] , the bits fci , . . . , fcm 
are all equal, and Eve has no knowledge about them. 
If 0[o] > 0[s] for aU [s] ^ [0], the probability p(0) 
tends to one when making A' large. Thus, choosing 
a large enough Af, the honest parties can obtain a 
probability distribution that can be distilled to se- 
cret key with non-zero rate by means of the one-way 
reconciliation techniques of [3]. 

Result: An m-partite distribution of the family 
Vq can be distilled i/Ojoj > Oj^j for all [s] 7^ [0]. 
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